b'      Department of Homeland Security\n\n\n\n            CBP Information Technology Management:\n                     Strengths and Challenges\n                            (Redacted)\n\n\n\n\nOIG-12-95                                       June 2012\n\x0c                                                             Office of Inspector General\n\n                                                             U.S. Department of Homeland Security\n                                                             Washington, DC 20528\n\n\n\n\n                                      June 29, 2012\n\n                                          Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the Department.\n\nThis report addresses the strengths and weaknesses of the U.S. Customs and Border\nProtection\xe2\x80\x99s Office of Information and Technology. It is based on interviews with\nemployees and officials of relevant agencies and institutions, direct observations, and a\nreview of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. We\ntrust this report will result in more effective, efficient, and economical operations. We\nexpress our appreciation to all of those who contributed to the preparation of this report.\n\n\n                                      Frank Deffer\n                                      Assistant Inspector General\n                                      Information Technology Audits\n\x0cTable of Contents/Abbreviations\nExecutive Summary .............................................................................................................1\n\nBackground ..........................................................................................................................2\n\nResults of Audit ...................................................................................................................7\n\n   IT Management Capabilities ........................................................................................... 7\n   Recommendations ......................................................................................................... 16\n   Management Comments and OIG Analysis ................................................................. 16\n\n   IT Support of Mission Needs ........................................................................................ 17\n   Recommendations ......................................................................................................... 27\n   Management Comments and OIG Analysis ................................................................. 27\n\nAppendices\n     Appendix A:           Purpose, Scope, and Methodology.......................................................29\n     Appendix B:           Management Comments to the Draft Report .......................................31\n     Appendix C:           Major Contributors to This Report ......................................................36\n     Appendix D:           Report Distribution ..............................................................................37\n\nAbbreviations\n     ACE                         Automated Commercial Environment\n     ACS                         Automated Commercial System\n     ATS                         Automated Targeting System\n     BPETS                       Border Patrol Enforcement Tracking System\n     CIO                         Chief Information Officer\n     CBP                         U.S. Customs and Border Protection\n     DHS                         Department of Homeland Security\n     E3                          The Next Generation of Enforce\n     EA                          enterprise architecture\n     FY                          fiscal year\n     IT                          information technology\n     ITAR                        Information Technology Acquisition Review\n     MD                          Management Directive\n     OIT                         Office of Information and Technology\n     OMB                         Office of Management and Budget\n     SELC                        systems engineering life cycle\n\x0cOIG\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                  We audited the U.S. Customs and Border Protection\xe2\x80\x99s (CBP)\n                  information technology management. The objective of our audit\n                  was to evaluate the Chief Information Officer\xe2\x80\x99s overall information\n                  technology management approach, including the extent to which\n                  information technology management practices have been put in\n                  place and the current information technology environment supports\n                  mission needs. Appendix A describes the audit\xe2\x80\x99s scope and\n                  methodology.\n\n                  The Chief Information Officer has implemented a strategic\n                  planning process, developed an enterprise architecture, and\n                  established a systems engineering life cycle process to guide and\n                  manage the agency\xe2\x80\x99s information technology environment.\n                  Additional progress is needed building the agency\xe2\x80\x99s target business\n                  architecture and implementing oversight of information technology\n                  spending across all programs and activities within the agency,\n                  which increases the risk of enterprise alignment challenges.\n\n                  Challenges remain, however, to ensure that the information\n                  technology environment fully supports CBP\xe2\x80\x99s mission needs.\n                  Specifically, systems availability challenges exist, due in part to\n                  aging infrastructure. Also, interoperability and functionality of the\n                  technology infrastructure have not been sufficient to support CBP\n                  mission activities fully. As a result, CBP employees have created\n                  workarounds or employed alternative solutions, which may hinder\n                  CBP\xe2\x80\x99s ability to accomplish its mission and ensure officer safety.\n\n                  We are recommending that the Chief Information Officer provide\n                  needed resources for enterprise architecture activities, ensure\n                  compliance with the information technology acquisition review\n                  process, develop a funding strategy for the replacement of outdated\n                  infrastructure, and reassess the existing requirements and\n                  technology insertion processes to address challenges in the field.\n\n\n\n\n            CBP Information Technology Management: Strengths and Challenges\n\n                                        Page 1\n\x0cBackground\n               CBP is the frontline border security agency within the Department\n               of Homeland Security (DHS). CBP is charged with the priority\n               mission of keeping terrorists and their weapons out of the United\n               States, while facilitating the flow of legitimate trade and travel.\n               CBP\xe2\x80\x99s responsibilities include apprehending individuals\n               attempting to enter the United States illegally; stemming the flow\n               of illegal drugs and other contraband; protecting agricultural and\n               economic interests from harmful pests and diseases; protecting\n               American businesses from theft of their intellectual property;\n               regulating and facilitating international trade; collecting import\n               duties; and enforcing U.S. trade laws. In fiscal year (FY) 2012,\n               CBP\xe2\x80\x99s budget was approximately $12 billion, 20 percent of DHS\xe2\x80\x99\n               overall budget of approximately $60 billion.\n\n               CBP has more than 58,000 employees nationwide and overseas.\n               CBP\xe2\x80\x99s workforce includes more than 20,000 Border Patrol agents\n               who protect the borders with Mexico and Canada; more than\n               20,000 CBP officers who screen passengers and cargo at over 300\n               ports of entry; nearly 1,000 Air and Marine interdiction agents who\n               prevent people and goods, including weapons, narcotics, and\n               conveyances, from illegal entry by air and water; more than 2,200\n               CBP agriculture specialists who work to curtail the spread of\n               harmful pests and plant and animal diseases; and nearly 2,500\n               employees in CBP revenue positions who collect over $30 billion\n               annually in entry duties and taxes through the enforcement of trade\n               and tariff laws. Additionally, CBP has 8,000 employees providing\n               operational and mission support. Figure 1 shows CBP\xe2\x80\x99s\n               organizational structure.\n\n\n\n\n         CBP Information Technology Management: Strengths and Challenges\n\n                                     Page 2\n\x0c      Figure 1. CBP Organizational Structure as of December 2011\n\n      CBP\xe2\x80\x99s Office of Information and Technology (OIT) provides\n      information technology (IT) services and products that enable CBP\n      to meet its missions. CBP, with an IT budget of $1.5 billion in\n      FY 2012, is the largest IT component within DHS, comprising 26\n      percent of the Department\xe2\x80\x99s $5.8 billion IT budget. OIT employs\n      5,399 IT staff\xe2\x80\x942,231 Federal employees and 3,168 contractors.\n      CBP\xe2\x80\x99s IT operational infrastructure\xe2\x80\x94\n             Supports more than 65,000 workstations;\n             Processes more than 26 billion database transactions per day;\n             Manages the largest DHS data center, with more than\n             70,000 square feet of floor space; and\n             Supports tactical communications infrastructure and\n             equipment for 1,100 tower sites with radio equipment and\n             more than 65,000 mobile and portable radios.\n\n      To manage CBP\xe2\x80\x99s critical IT environment, OIT is organized into\n      several offices. Five program offices provide IT expertise in their\n      respective areas. The Passenger Systems Program Office provides\n      application development and continued operational support of\n      traveler and immigration-related systems. The Cargo Systems\n      Program Office is responsible for the development, maintenance,\n      and deployment of systems and interfaces that support CBP, other\n      government agencies, and the trade community regarding the\nCBP Information Technology Management: Strengths and Challenges\n\n                             Page 3\n\x0c      importation, exportation, and control of merchandise shipments.\n      The Targeting and Analysis Systems Program Office provides\n      solutions that support CBP inspection and enforcement activities to\n      help CBP officers and analysts protect borders. The Border\n      Enforcement and Management Systems Program Office provides\n      concentrated support for border enforcement systems for the Office\n      of Border Patrol, the Office of Field Operations, and the Office of\n      Air and Marine. The Wireless Systems Program Office provides\n      expertise for tactical communications and related wireless efforts.\n\n      In addition, there are two enterprise IT management divisions. The\n      Enterprise Data Management and Engineering Division provides\n      enterprise solutions to optimize IT data integrity and accessibility\n      and ensure performance quality, reliability, and 24\xc3\x977 IT systems\n      availability to support border protection and the facilitation of\n      legitimate trade. The Enterprise Network and Technology Support\n      Division provides operational day-to-day technology support to all\n      CBP field locations, technology training, the enterprise wide area\n      network, security operations, and help desk services.\n\n      OIT has two additional support offices. The Field Support\n      Program Office provides onsite customer service and support to\n      CBP\xe2\x80\x99s 58,000 employees throughout the United States and\n      overseas to minimize service interruptions in support of the\n      mission. The Laboratories and Scientific Services Office provides\n      forensic and scientific testing in the areas of trade enforcement,\n      weapons of mass destruction, intellectual property rights, and\n      narcotics enforcement. Figure 2 shows the CBP OIT\n      organizational structure.\n\n\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 4\n\x0c      Figure 2. CBP\xe2\x80\x99s OIT Organizational Structure as of October 2011\n\n      IT systems play a critical role in enabling CBP to accomplish its\n      border security, trade, and travel missions. CBP\xe2\x80\x99s OIT supports\n      business processes with the design, development, programming,\n      testing, implementation, training, and maintenance of CBP\n      automated systems. Some of CBP\xe2\x80\x99s major commercial and\n      enforcement systems are listed below.\n\n      Commercial Systems\n           Automated Commercial System (ACS) - ACS is the system\n           CBP uses to track, control, and process all commercial\n           goods imported into the United States.\n           Automated Commercial Environment (ACE) - ACE is a\n           commercial trade processing system designed to automate\n           border processing. ACE will eventually replace ACS.\n\n      Enforcement Systems\n             Automated Targeting System (ATS) - ATS is an Intranet-\n             based enforcement and decision support tool that assists\n             CBP officers and analysts in selecting individuals or cargo\n             that pose a greater risk for violation of U.S. law for\n             additional screening.\n             TECS provides computer-based access to enforcement files\n             of common interest, online access to the Federal Bureau of\n             Investigation\xe2\x80\x99s National Crime Information Center, and an\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                             Page 5\n\x0c                                   interface with the National Law Enforcement\n                                   Telecommunications System.\n                                   The Next Generation of Enforce (E3) - E3 is a CBP-\n                                   developed transactional enforcement application that\n                                   captures all enforcement actions for Border Patrol agents\n                                   and CBP officers.\n\n                          The CBP Chief Information Officer (CIO) has undertaken an\n                          initiative to transform the way OIT provides IT support to CBP.\n                          This transformation initiative will replace CBP\xe2\x80\x99s aging IT\n                          infrastructure, which is costly to maintain. Most of OIT\xe2\x80\x99s budget\n                          goes toward operations and maintenance of this outdated\n                          infrastructure. At the same time, demand for IT services is\n                          growing and becoming more critical for CBP\xe2\x80\x99s mission. The CIO\n                          estimates that demand for storage and processing capacity is\n                          increasing at the rate of 50 percent per year. The CIO must\n                          address these issues within the confines of a declining IT budget.\n                          The OIT budget has decreased by $335 million since FY 2009 as\n                          funds were reallocated to pay for other CBP shortfalls.\n\n                          To address these challenges, OIT is leveraging technologies that\n                          enable it to operate and deliver customer capabilities more\n                          efficiently. To modernize the infrastructure, the CIO is working to\n                          replace obsolete technology, migrate to the DHS data center, and\n                          move toward private cloud infrastructure where possible.1 Further,\n                          the CIO is transitioning from mainframe to web-based applications\n                          and turning off less critical tools.2 The CIO also is planning to\n                          automate the data center and network management environment by\n                          implementing end-to-end monitoring processes that will provide\n                          greater visibility into the service levels and costs of services that\n                          support CBP\xe2\x80\x99s lines of business. Additionally, OIT is transforming\n                          its workforce and communications through efforts such as\n                          retraining its government employees and contractors and\n                          federalizing its workforce.\n\n\n\n\n1\n  Cloud computing is the delivery of computing as a service rather than a product, whereby shared\nresources, software, and information are provided to computers and other devices as a utility (like the\nelectricity grid) over a network such as the Internet.\n2\n  Mainframe computers are powerful computers used primarily by corporate and government organizations\nfor critical applications. After 2000, most modern mainframes have phased out classic terminal access for\nend users in favor of web user interfaces.\n\n                   CBP Information Technology Management: Strengths and Challenges\n\n                                                 Page 6\n\x0cResults of Audit\n        IT Management Capabilities\n                The CIO has taken several actions to support effective stewardship of IT\n                resources. Specifically, the CIO has implemented a strategic planning\n                process to ensure that OIT supports CBP and Department mission and\n                goals. In addition, the CIO has developed an enterprise architecture to\n                ensure that CBP\xe2\x80\x99s IT environment is aligned with the Department\xe2\x80\x99s\n                architecture, although additional progress is needed in certain key areas.\n                Finally, the CIO has implemented a systems engineering life cycle process\n                to manage IT programs from initiation through retirement. As a result,\n                OIT has critical capabilities in place to help ensure effective IT\n                management and guide future initiatives, such as the CIO\xe2\x80\x99s effort to\n                transform the way OIT does business over the next several years.\n\n                The CIO, however, does not have full oversight of IT spending across all\n                programs and activities within CBP. Specifically, CBP component offices\n                have submitted IT spending requests that were processed by procurement\n                without going through the IT Acquisition Review (ITAR) process.\n                Component noncompliance with ITAR occurred because component\n                offices and procurement personnel were unfamiliar with the process, and\n                the extended time taken for reviews has been a disincentive. IT\n                acquisitions that do not go through the ITAR process increase the risk of\n                security issues or enterprise alignment challenges.\n\n                        Strategic Planning\n\n                        The Government Performance and Results Act of 1993 holds\n                        Federal agencies responsible for strategic planning to ensure\n                        efficient and effective operations and use of resources to achieve\n                        mission results.3 Additionally, Office of Management and Budget\n                        (OMB) Circular A-130, as revised, instructs agency CIOs to create\n                        strategic plans that demonstrate how information resources will be\n                        used to improve the productivity, efficiency, and effectiveness of\n                        government programs.4 Finally, DHS Management Directive\n                        (MD) 0007.1 requires component CIOs to develop and implement\n                        an IT strategic plan that clearly defines how IT supports a\n                        component\xe2\x80\x99s mission and drives investment decisions, guiding the\n                        component toward its goals and priorities.5\n\n\n3\n  Public Law 103-62, Government Performance and Results Act of 1993, August 3, 1993.\n4\n  OMB Circular A-130, Management of Federal Information Resources.\n5\n  DHS, MD 0007.1, Information Technology Integration and Management, March 15, 2007.\n\n                  CBP Information Technology Management: Strengths and Challenges\n\n                                              Page 7\n\x0c                          The CIO has an effective strategic planning process in place to\n                          meet Federal requirements and departmental guidance. In 2008,\n                          the CIO implemented an IT strategic plan for FY 2009 through FY\n                          2015. In 2011, however, the CIO determined that it was necessary\n                          to draft a new plan to address shifts in the OIT budget, emerging\n                          technologies, and new departmental direction. The CIO was\n                          scheduled to implement a revised plan, the CBP OIT Strategic\n                          Implementation Plan FY 2012-2016, in March 2012. The draft\n                          plan identifies five broad goals, listed in table 1, for achieving\n                          OIT\xe2\x80\x99s mission over the next 4 years.\n\n                          Table 1. OIT Strategic Goals\n\n\n\n\n                          To accomplish these broad goals, the CIO has established specific\n                          objectives for each goal with associated key performance\n                          indicators. For example, to meet the goal to modernize and\n                          transform CBP\xe2\x80\x99s infrastructure, the plan identifies five objectives,\n                          including strengthening processes, moving toward the target\n                          technical architecture,6 and migrating to the Enterprise Data\n                          Center.7 For each of these objectives, the plan defines key\n                          performance indicators that will measure progress toward\n                          achieving this goal. The plan also identifies key initiatives related\n                          to each goal. For example, initiatives to use cloud-based services,\n                          complete field technology upgrades, and migrate systems off of\n                          mainframe platforms all contribute to achieving the goal to\n                          modernize and transform the infrastructure.\n\n\n6\n  The target technical architecture is the technical infrastructure that portrays the future or end-state\nenterprise.\n7\n  The Enterprise Data Center initiative encompasses the migration of 24 disparate DHS computing facilities\nto two geographically diverse, state-of-the-art, and secure enterprise data centers.\n\n                   CBP Information Technology Management: Strengths and Challenges\n\n                                                  Page 8\n\x0c                        The CBP OIT Strategic Implementation Plan FY 2012\xe2\x80\x932016 aligns\n                        with the goals identified in the DHS and CBP strategic plans. The\n                        plan is also aligned with the DHS Information Technology\n                        Strategic Plan 2011\xe2\x80\x932015 to ensure that CBP OIT supports the\n                        DHS CIO\xe2\x80\x99s department-wide IT goals. Table 2 shows the\n                        alignment of OIT goals with DHS and CBP goals.\n                        Table 2. Alignment of OIT Goals With CBP, DHS, and DHS CIO Goals\n\n\n\n\n                        The CIO\xe2\x80\x99s implementation of a well-aligned, up-to-date strategic\n                        plan will position OIT to provide effective support to meet mission\n                        requirements. An effective IT strategic plan helps focus limited\n                        resources and guide the direction of the OIT. If implemented as\n                        planned, the IT strategic plan will help CBP personnel fulfill their\n                        mission responsibilities.\n\n                        Enterprise Architecture\n\n                        The Clinger Cohen Act of 1996,8 as amended, and OMB circulars9\n                        mandate the establishment and use of an enterprise architecture\n                        (EA) to guide and direct government investments from inception\n                        through retirement. In addition, OMB Memorandum M-11-29,\n                        dated August 2011, states that CIOs must use an EA to consolidate\n\n8\n  Public Law No. 104-106, Division E, February 10, 1996. The law, initially titled the Information\nTechnology Management Reform Act of 1996, was subsequently renamed the Clinger-Cohen Act of 1996 in\nP. L. 104-208, September 30, 1996.\n9\n  OMB Circular A-130, Revised, Management of Federal Information Resources; and OMB Circular A-11,\nRevised, Preparation, Submission, and Execution of the Budget.\n\n                  CBP Information Technology Management: Strengths and Challenges\n\n                                              Page 9\n\x0c                        duplicative investments and applications.10 EA is a management\n                        practice designed to maximize the contribution of an agency\xe2\x80\x99s\n                        resources, IT investments, and system development activities to\n                        achieve mission performance goals.\n\n                        The CIO has developed an EA to align with the Department\xe2\x80\x99s\n                        architecture and guide CBP\xe2\x80\x99s IT environment. The 2010 DHS EA\n                        assessment identified CBP\xe2\x80\x99s EA program at stage four of the six\n                        stages of the EA Management Maturity Framework.11 CBP\xe2\x80\x99s EA\n                        maturity rating was the highest among DHS components. At stage\n                        four maturity, an organization has developed an approved version\n                        of its EA that is used for targeted results, such as guiding\n                        investment decisions. Figure 3 shows CBP\xe2\x80\x99s EA maturity within\n                        the stages of the EA Management Maturity Framework.\n\n\n\n\n                        Figure 3. Stages of EA Management Maturity Framework With CBP EA Maturity\n\n                        As a result of CBP\xe2\x80\x99s progress establishing its EA, the CIO has\n                        realized benefits through sharing, reuse, and standardization of IT\n                        resources. Specifically, in FY 2011 the EA Branch conducted 20\n                        architecture alignment reviews of investments that resulted in the\n                        identification of 90 architecture misalignments. The EA Branch\n                        addressed these misalignments through elimination of duplicate\n                        efforts and identification of consolidation, integration, and reuse\n                        opportunities to realize cost avoidance totaling $6.1 million. The\n                        CIO has also used the EA to eliminate systems that are no longer\n                        needed. For example, the EA Branch performed an analysis of\n                        border enforcement support systems that identified 16 systems for\n                        retirement, some of which were no longer being accessed or had\n                        been replaced by newer systems but had not yet been retired.\n\n\n\n\n10\n  OMB M-11-29, Chief Information Officer Authorities, August 8, 2011.\n11\n  GAO-10-846G, A Framework for Assessing and Improving Enterprise Architecture Management\n(Version 2.0), August 2010.\n\n                  CBP Information Technology Management: Strengths and Challenges\n\n                                              Page 10\n\x0c                            Development of Target Business Architecture\n\n                            Although CBP has developed an EA, the EA Branch has not\n                            analyzed the \xe2\x80\x9cAs-Is\xe2\x80\x9d business processes to identify efficiencies and\n                            fully develop a target \xe2\x80\x9cTo-Be\xe2\x80\x9d view of these processes.12 The EA\n                            Branch is currently building various segments of the \xe2\x80\x9cTo-Be\xe2\x80\x9d\n                            view. For example, the EA Branch worked to model \xe2\x80\x9cTo-Be\xe2\x80\x9d\n                            process flows for several CBP component offices in 2011. The EA\n                            Branch anticipates multiple iterations of the \xe2\x80\x9cTo-Be\xe2\x80\x9d business\n                            architecture as various segments are built out.\n\n                            Progress developing the \xe2\x80\x9cTo-Be\xe2\x80\x9d business architecture has been\n                            hindered, in part, by staffing and funding shortages. The EA\n                            Branch\xe2\x80\x99s staff of 23 employees falls short of its identified need for\n                            52 employees. Additionally, the EA Branch has absorbed a 50\n                            percent reduction in its operating budget over the past few years.\n                            With limited staff and a reduced budget, progress toward\n                            establishing the \xe2\x80\x9cTo-Be\xe2\x80\x9d business architecture has been delayed.\n\n                            Without a complete view of CBP\xe2\x80\x99s target EA, the CIO faces\n                            increased risks to efforts to modernize the way OIT provides\n                            support to CBP. An EA serves as a critical blueprint that can help\n                            ensure that OIT will meet current and future customer needs as the\n                            CIO transforms the way OIT does business. For example, an\n                            effective \xe2\x80\x9cTo-Be\xe2\x80\x9d architecture can identify potential efficiencies\n                            from the elimination of programs that may not align with future\n                            mission needs.\n\n                            Systems Engineering Life Cycle Process\n\n                            DHS Acquisition Directive 102-01, Appendix B, requires agencies\n                            to follow a systems engineering life cycle (SELC) process.13 The\n                            purpose of the DHS SELC is to establish a standard system life\n                            cycle framework across DHS components and to ensure that DHS\n                            IT capabilities are delivered efficiently and effectively.\n\n                            The CBP CIO has implemented the SELC process in compliance\n                            with departmental guidance. Specifically, OIT maintains an online\n                            process guide, which is CBP\xe2\x80\x99s implementation of the DHS SELC,\n\n12\n   Baseline architecture is the set of products that portray the existing enterprise, the current business\npractices, and technical infrastructure. It is commonly referred to as the \xe2\x80\x9cAs-Is\xe2\x80\x9d architecture. Target\narchitecture is the set of products that portray the future or end-state enterprise, generally captured in an\norganization\xe2\x80\x99s strategic thinking and plans. It is commonly referred to as the \xe2\x80\x9cTo-Be\xe2\x80\x9d architecture.\n13\n   DHS AD 102-01, Interim Version 1.9, Acquisition Directive, Instruction Appendix B, November 7,\n2008.\n\n                     CBP Information Technology Management: Strengths and Challenges\n\n                                                    Page 11\n\x0c      called the Enterprise Life Cycle Methodology and Online SELC.\n      This online tool provides a repository of approved project\n      management support processes and procedures, tools, and\n      templates. Figure 4 shows the phases of the DHS SELC and the\n      alignment of CBP\xe2\x80\x99s Enterprise Life Cycle Methodology phases.\n\n\n\n\n      Figure 4. DHS and CBP IT Life Cycle Alignment\n\n      CBP has also implemented a governance structure to ensure a level\n      of oversight of IT projects that is appropriate for the size of the\n      investment. IT investments with a life cycle cost of $300 million\n      and above are considered major acquisitions and are reviewed by\n      DHS. Investments below $300 million are reviewed within CBP\n      according to three levels. The CBP Executive Steering Committee\n      approves non-major acquisitions with a total life cycle cost from\n      $50 million to $300 million. The CBP Governance Board\n      approves non-major acquisitions with a total life cycle cost of\n      $10 million to under $50 million. The CBP Enterprise\n      Architecture Review Board approves non-major acquisitions with\n      a total life cycle cost of less than $10 million. Figure 5 shows the\n      delegation of decision authorities for non-major acquisitions to\n      CBP governance boards based on a program\xe2\x80\x99s life cycle cost.\n\n\n\n\n      Figure 5. CBP Decision Thresholds and Decision Authorities for Non-major\n      Acquisitions\n\n      OIT\xe2\x80\x99s implementation of the SELC has been effective for several\n      reasons. CBP had a SELC process in place prior to the\n      implementation of Acquisition Directive 102-01 in November\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 12\n\x0c      2008. OIT has a history of project management discipline,\n      including the use of its own SELC process, which enabled easier\n      migration of the organization\xe2\x80\x99s practices to the DHS SELC\n      process. OIT also had senior executive support and involvement,\n      strong program management, and SELC education and training\n      programs.\n\n      In addition to aligning with the DHS SELC, CBP\xe2\x80\x99s system\n      engineering governance processes are streamlined and clearly laid\n      out to ensure adherence and compliance. The benefits of this\n      improved process include artifact standardization across programs\n      throughout DHS, reduced risk because of known standard criteria\n      in the internal and external reviews, and the program\xe2\x80\x99s ability to\n      meet their scope within schedule and cost. According to the OIT\n      official responsible for the process, all applicable IT projects\n      within CBP go through the SELC process. These IT engineering\n      governance processes enable CBP to make IT investment decisions\n      that will support both CBP and DHS strategic goals.\n\n      IT Acquisition Review\n\n      DHS MD 0007.1 requires IT acquisitions valued at $2.5 million or\n      greater to be submitted to the DHS CIO for review. The directive\n      also requires agency CIOs to implement an ITAR process for IT\n      acquisitions below $2.5 million. ITAR is required before the\n      award of an IT procurement to ensure alignment of acquisitions\n      with IT policy, standards, objectives, and goals across DHS.\n\n      The CBP CIO began submitting IT acquisitions valued at\n      $2.5 million and above to the DHS CIO in FY 2007. That year,\n      the CBP CIO submitted 77 IT acquisitions for review. The number\n      of acquisitions submitted peaked at 198 in FY 2009. The number\n      of IT acquisitions submitted to the DHS CIO for review has\n      declined since FY 2009 due to an overall decrease in new initiative\n      funding, according to OIT officials. Figure 6 shows the number of\n      IT acquisitions submitted to the DHS CIO for review from FY\n      2007 to FY 2011.\n\n\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 13\n\x0c      Figure 6. IT Acquisition Reviews \xe2\x89\xa5 $2.5 Million Submitted to the DHS CIO\n      (FY 2007 to FY 2011)\n\n      The CBP CIO has also taken steps to ensure compliance with the\n      ITAR requirement by implementing an ITAR process in FY 2009\n      to review IT acquisitions with costs below $2.5 million and above\n      $1 million. In FY 2009, the CBP CIO reviewed 75 IT acquisitions.\n      The number of ITAR reviews declined in 2011 as new initiative\n      funding has decreased. Figure 7 shows the number of ITAR\n      reviews below $2.5 million and above $1 million from FY 2009\n      through FY 2011.\n\n\n\n\n      Figure 7. IT Acquisition Reviews Below $2.5 Million and Above $1 Million\n      Conducted by the CBP CIO (FY 2009 to FY 2011)\n\n      ITAR Compliance\n\n      Although the CBP CIO has made progress implementing the ITAR\n      process, not all IT acquisitions that met the dollar threshold and\n      criteria for review have gone through the process. Specifically,\n\nCBP Information Technology Management: Strengths and Challenges\n\n                             Page 14\n\x0c      CBP component office IT acquisitions were processed and\n      approved by procurement without going through the ITAR review.\n      OIT personnel run monthly reports to identify procurements that\n      appear to be IT and have been awarded without ITAR review.\n      These reports have identified nearly a dozen acquisitions that were\n      IT related and were awarded without CIO review. For example,\n      OIT personnel have identified IT procurements for human\n      resources systems, financial systems, and border security systems\n      that did not go through ITAR.\n\n      Noncompliance with ITAR occurs because CBP component\n      offices do not always follow applicable guidance. According to\n      agency guidance, CBP component offices are required to submit\n      acquisitions that meet the ITAR criteria to the CIO before\n      submitting them to procurement. The CBP Commissioner issued a\n      memorandum in March 2008 to require that CBP component\n      offices comply with the ITAR process. This memorandum\n      instructed CBP component organizations to submit applicable\n      acquisitions to OIT for approval. Since this March 2008 memo,\n      however, compliance challenges remain.\n\n      One reason noncompliance remains a challenge for the CIO is the\n      perception that the ITAR process has taken an extended time to\n      complete. During an OIT workshop in FY 2010, the ITAR process\n      was identified as a key process in need of improvement.\n      Specifically, participants at the workshop concluded that ITAR\n      should be redesigned to institutionalize a consistent, enterprise-\n      wide approach to processing IT investment acquisition requests.\n\n      OIT has taken a number of steps to improve compliance with\n      ITAR. Specifically, OIT personnel have met with the procurement\n      directorate branch chiefs and the budget officers of other CBP\n      offices to advise them of the ITAR requirement and request their\n      assistance in helping to ensure that all applicable CBP acquisitions\n      follow the process. In addition, OIT personnel reach out to\n      respective CBP component offices to remind them of the process\n      and offer training when noncompliance is identified. Finally, OIT\n      personnel work with CBP component offices to assure them that\n      the ITAR reviews will be processed in a timely manner.\n\n      Limitations with ITAR compliance have an impact on the CIO\xe2\x80\x99s\n      ability to manage CBP\xe2\x80\x99s IT environment effectively. IT acquisition\n      reviews enable the CIO to align IT acquisitions with CBP IT\n      policies, standards, objectives, and goals. ITAR also helps the CIO\n      validate CBP\xe2\x80\x99s alignment with the DHS enterprise architecture and\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 15\n\x0c       ensure compliance with security and accessibility requirements.\n       However, IT acquisitions that do not go through this process do not\n       go through these alignment reviews and create a risk to CBP\xe2\x80\x99s IT\n       environment.\n\nRecommendations\n       We recommend that the Assistant Commissioner, Office of\n       Information and Technology:\n\n       Recommendation #1: Provide the necessary resources to\n       complete required enterprise architecture activities.\n\n       Recommendation #2: Implement a plan to ensure the timeliness\n       of the ITAR review process and to communicate this process to\n       component offices and procurement to achieve full compliance.\n\nManagement Comments and OIG Analysis\n       We obtained written comments on a draft of this report from the\n       Assistant Commissioner, Office of Internal Affairs. We have\n       included a copy of the comments in their entirety in appendix B.\n\n       In the comments, the Assistant Commissioner concurred with our\n       recommendations and provided details on steps being taken to\n       address specific findings and recommendations in the report. We\n       have reviewed management\xe2\x80\x99s comments and provided an\n       evaluation of the issues outlined in the comments below.\n\n       In response to recommendation one, the Assistant Commissioner\n       concurred and stated that CBP will attempt to provide resources\n       sufficient to complete required enterprise architecture activities.\n       The Assistant Commissioner also provided details about initiatives\n       underway, within the resources currently available, to support\n       enterprise architecture activities effectively. We recognize the\n       establishment of the Transformation Support and Management\n       Group as progress toward a more integrated approach to provided\n       resources to support enterprise architecture development. The\n       Assistant Commissioner requested closure of this recommendation;\n       however, we require additional evidence of the positive impact of\n       actions taken before closing this recommendation.\n\n       In response to recommendation two, the Assistant Commissioner\n       concurred and stated that the OIT Financial Management Group\n       would establish outreach efforts, in addition to those already in\n\n CBP Information Technology Management: Strengths and Challenges\n\n                             Page 16\n\x0c                           place, to achieve full compliance with the ITAR process. We\n                           recognize this action as a positive step toward addressing\n                           recommendation two. The Assistant Commissioner requested\n                           closure of this recommendation; however, we require additional\n                           evidence of the positive impact of actions taken before closing this\n                           recommendation.\n\n           IT Support of Mission Needs\n                   Although the CIO has implemented several key IT management practices,\n                   challenges remain in ensuring that the IT environment fully supports\n                   CBP\xe2\x80\x99s mission needs. Specifically, OIT faces challenges with system\n                   availability, including periodic outages of critical security systems.\n                   Systems outages have occurred in part because of aging infrastructure,\n                   which has not been updated as required because of funding reductions. In\n                   addition, the interoperability and integration of the IT infrastructure have\n                   not been sufficient to support CBP mission activities fully, due to lengthy\n                   requirements gathering and technology insertion processes. As a result,\n                   staff have created workarounds and employed alternative solutions to\n                   accomplish the mission, including assigning agents to perform duplicative\n                   data entry\xe2\x80\x94instead of enforcement duties in the field\xe2\x80\x94and operating\n                   stand-alone, non-approved IT. Such activities may hinder CBP\xe2\x80\x99s ability to\n                   safeguard borders, foster the Nation\xe2\x80\x99s economic security through lawful\n                   international trade and travel, and ensure officer safety.\n\n                           Availability and Outages\n\n                           DHS MD 0007.1 states that the component CIO is responsible for\n                           acquiring, developing, operating, and maintaining all mission-\n                           related systems and services. In addition, under the Paperwork\n                           Reduction Act of 1995, as amended, and the Clinger-Cohen Act of\n                           1996, as amended, agencies are required to acquire, manage, and\n                           use IT to improve mission performance, and plan in an integrated\n                           manner for managing their IT architecture.14\n\n                           OIT has faced challenges with system availability. Specifically,\n                           results from the 2010 OIT Customer Satisfaction Survey indicated\n                           that system availability had declined over the prior 2 years. The\n                           survey asked CBP component personnel from various offices,\n                           including the Office of Air and Marine, the Office of Border\n                           Patrol, and the Office of Field Operations, whether system\n                           availability had improved, declined, or did not change. The results\n                           show increases across these organizations in respondents who said\n\n14\n     Public Law 104-13, Paperwork Reduction Act of 1995, May 22, 1995.\n\n                     CBP Information Technology Management: Strengths and Challenges\n\n                                                 Page 17\n\x0c      availability had declined. For example, in 2008, 11 percent of\n      respondents from the Office of Air and Marine indicated that\n      system availability had declined, whereas in 2010 28 percent of\n      respondents indicated that availability had declined. Survey\n      respondents identified several systems that were continuously\n      experiencing availability challenges, such as the Vehicle Primary\n      Client, which processes and documents travelers entering the\n      United States by vehicle at land ports of entry. Figure 8 shows the\n      decline in customer satisfaction with system availability.\n\n\n\n\n      Figure 8. Increase in Customer Dissatisfaction With Availability, From OIT\n      Customer Satisfaction Survey for 2010\n\n      Periodic outages of critical security systems, such as the Secure\n      Flight system, have also been reported. Secure Flight is a program\n      that enhances the security of air travel through a streamlined watch\n      list matching process. A report on Secure Flight outages from\n      January to June 2011 identified outages. Of these outages,\n          were related to DHS computer systems managed by CBP,\n      which supports parts of the Secure Flight infrastructure. Some\n      outages were prolonged. For example,\n\n                                                                       OIT\n      determined that the cause of this outage\n\n\n      Aging Infrastructure\n\n      Challenges with systems availability and outages occur in part\n      because of aging infrastructure that has not been updated as\n\n\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                             Page 18\n\x0c                           required. One high-level OIT official estimated that 70 percent of\n                           CBP\xe2\x80\x99s infrastructure is more than 4 years old. One part of the\n                           infrastructure that has not been updated as required is network\n                           components such as servers, routers, and switches.16 For example,\n                           servers are typically replaced every 3 years; however, CBP has a\n                           large number of servers that were being used beyond this\n                           recommended life cycle. Specifically, at CBP\xe2\x80\x99s data center the\n                           average age of servers was 6.5 years. Figure 9 shows that only 29\n                           percent of the data center\xe2\x80\x99s servers were within the recommended\n                           life cycle, while 54 percent were 4 to 7 years old, and 17 percent\n                           were 8 to 12 years old.\n\n\n\n\n                           Figure 9. Age of CBP Servers as of December 2011\n\n                           Similarly, CBP field personnel rely on obsolete network routers\n                           and switches. Switches are typically replaced every 5 to 6 years.\n                           However, OIT leadership said that CBP has network switches that\n                           are 12 to 14 years old.\n\n                           Certain field personnel also have been using obsolete computers.\n                           Some CBP component offices, such as the Office of Border Patrol,\n                           have had funding available to replace computers on a 3-year cycle.\n                           Other offices, however, such as the Office of Field Operations,\n                           have not followed a regular replacement schedule. In several field\n                           locations that we visited, IT support personnel had replaced\n                           outdated computers with retired Border Patrol computers because\n                           they were much newer than the computers still in use by other\n                           offices at these locations.\n\n16\n  Routers connect a network, acting as dispatchers to choose the best path for information to travel so it is\nreceived quickly. A server is a computer dedicated to running one or more services to serve the needs of\nusers of other computers on the network.\n\n                    CBP Information Technology Management: Strengths and Challenges\n\n                                                   Page 19\n\x0c      Funding for Operations and Maintenance\n\n      OIT has not replaced old infrastructure because of funding\n      reductions. Specifically, OIT\xe2\x80\x99s budget has been cut by $335 million\n      since 2009, and further cuts are expected in coming years. CBP\n      has a $557.8 million investment to maintain CBP\xe2\x80\x99s infrastructure\n      across 10 areas, including updating network infrastructure and\n      computers. However, this investment is at risk. The DHS CIO has\n      designated this project as a medium-risk project on the Federal IT\n      dashboard. The Federal IT dashboard assigns major investments a\n      numeric score and a color code associated with the risk level. A\n      score of five is low risk, which is identified as \xe2\x80\x9cgreen,\xe2\x80\x9d and a score\n      of one is high risk, which is identified as \xe2\x80\x9cred.\xe2\x80\x9d CBP\xe2\x80\x99s\n      infrastructure maintenance investment scored a three with a color\n      code of \xe2\x80\x9cyellow,\xe2\x80\x9d associated with a medium-risk project. The\n      assessment of this investment indicated that it is a medium-risk\n      project because of delays caused by limited funding.\n\n      OIT leadership has briefed CBP program offices on the risk of\n      outages and the need for CBP to allocate funding toward operations\n      and maintenance to avoid critical interruptions that have an impact\n      on CBP\xe2\x80\x99s mission. Maintaining an aging infrastructure is costly,\n      and the CIO plans to reduce overall operations and maintenance\n      costs by modernizing the infrastructure. However, with more\n      budget cuts pending, OIT is reliant on CBP leadership to prioritize\n      funding for maintaining and transforming the infrastructure.\n\n      In addition, some field personnel with whom we spoke said that\n      the responsibility for operations and maintenance costs in the field\n      was not always clearly defined. For example, at one field location,\n      Border Patrol personnel had purchased a document management\n      system with the expectation that OIT would cover the operations\n      and maintenance costs. IT field personnel were not authorized or\n      trained to perform database management, and the vendor charged a\n      $12,000 annual fee for maintenance. Because of the lack of clarity\n      on who was responsible for paying for operations and maintenance,\n      this fee was not paid for several years and, therefore, the\n      maintenance was not performed. Due to the lack of maintenance,\n      this aging system was becoming unstable, and there was a risk that\n      the system would fail and all local Border Patrol documents would\n      be lost.\n\n\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 20\n\x0c      Reduced IT Support in the Field\n\n      Another factor affecting system availability is the reduction in\n      technology field support personnel due to budget cuts. Specifically,\n      as OIT moved toward a centralized help desk structure, field\n      technology support was reduced by 166 personnel, from 785 to\n      619, in 2009. With reduced numbers, technology personnel in the\n      field had difficulty supporting numerous geographically dispersed\n      sites that may be hard to access. For example, in some areas in the\n      Northwest it can be an all-day drive for technology field support\n      personnel to get to a site. Furthermore, some locations have a\n      small number of technology support personnel to cover a large\n      area, which can lead to downtime if multiple sites need support\n      simultaneously.\n\n      In addition, as field operations expanded there was often no\n      commensurate expansion of IT support. For example, at a new\n      Border Patrol facility in Tucson, intelligence personnel lost\n      information because IT field support personnel did not verify that\n      30-day server backups were occurring. Intelligence officers had to\n      recreate numerous reports on organizations and individuals being\n      targeted, such as smuggling organizations. The manager of this\n      office said that this mistake would have been avoided with a\n      dedicated IT support person. When this new facility was created,\n      however, additional resources for technology support were not\n      factored in, and technology support personnel in this sector were\n      stretched too thin. The field IT support personnel said that they are\n      in a reactive mode of fixing what breaks, whereas the goal should\n      be to be proactive.\n\n      Bandwidth\n\n      Increasing demand for bandwidth has also contributed to system\n      availability challenges. Commercial network providers do not\n      offer service in many of the areas where CBP operates;\n      consequently, it is costly to provide adequate bandwidth in some\n      areas. In addition, CBP is transitioning mainframe systems to\n      web-based systems. For example, TECS and ACE, two of CBP\xe2\x80\x99s\n      largest enterprise systems, are being modernized and moved off of\n      the mainframe. Demand for bandwidth increases as more\n      applications become web-based. As a result, CBP personnel in\n      areas with limited bandwidth have increased difficulty accessing\n      required systems.\n\n\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 21\n\x0c      As a result of availability challenges and outages, CBP faces\n      critical impediments to achieving its border security, trade, and\n      travel missions effectively. For example, for every hour of\n      downtime, 46,000 people and 3,000 containers back up at the\n      borders, seaports, or airports during normal operations; during\n      peak hours as many as 120,000 people may be affected. A\n      nationwide passenger outage of more than 2 hours would cause\n      significant problems for air travel and land borders, and a 1-day\n      nationwide outage affecting cargo would have national economic\n      consequences. This was evident on August 11, 2007, when a\n      network outage at the Los Angeles International Airport prevented\n      CBP from conducting its normal operations for approximately 10\n      hours and affected more than 17,000 passengers.\n\n      Interoperability and Functionality\n\n      OIT faces challenges with external interoperability and internal\n      functionality. Specifically, in some regions, CBP employees do\n      not use digital radio communications or have access to websites\n      and software provided by external partners. In addition,\n      enterprise-wide systems do not meet all CBP users\xe2\x80\x99 requirements,\n      such as for internal reporting, needed to support CBP\xe2\x80\x99s mission.\n\n      External Interoperability\n\n      Office of Border Patrol staff cannot communicate seamlessly with\n      Federal, State, and local partners in all sections of the country.\n      Specifically, staff in some regions are using analog radios, which\n      creates communications barriers with partners such as the U.S.\n      Coast Guard and local, county, and State law enforcement\n      organizations. For example, in 2009, CBP agents in one location\n      were unable to share information with the U.S. Coast Guard\n      through a secure mode for approximately 3 to 6 months. When the\n      U.S. Coast Guard switched from analog communications to digital\n      communications, CBP staff in the region lost the ability to share\n      encrypted information with the U.S. Coast Guard. Once notified\n      of the inability to communicate securely, CBP field technicians\n      resolved the issue by programming the radios to allow\n      communication between the two agencies. Had there been an\n      emergency situation, however, staff would not have been able to\n      communicate effectively. According to CBP OIT field support\n      staff, this interruption in communication could have been avoided\n      if standard methods of notifications for changes to tactical\n      communications had been available.\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 22\n\x0c      In addition, CBP faces communication challenges with State and\n      local partners in some regions. Specifically, in some regions, key\n      partners use digital communications, while Border Patrol agents in\n      the same communities may use analog communications. After\n      September 11, 2001, State and local officials\xe2\x80\x99 radios switched to\n      digital communications. However, Office of Border Patrol staff in\n      some regions cannot communicate with radios at that frequency.\n      In these regions, State and local interoperability is provided by the\n      use of two portable radios and a direct line to a dispatch center at\n      the Office of Border Patrol. For example, in one location a Border\n      Patrol agent on duty in the field might reach out to local law\n      enforcement for assistance and backup support. Without digital\n      radio communications, the agent must use the dispatch center to\n      connect to the local law enforcement office for assistance. Staff\n      reported that communicating through the dispatch center is not\n      always feasible because it requires an open line, and it takes longer\n      than using direct digital radio communications. The use of two\n      portable radios for communication between Border Patrol and\n      other partners also has challenges. If an agent forgets the Border\n      Patrol radio, the agent cannot keep the home office informed of his\n      or her needs, and local law enforcement must call the Border Patrol\n      office to let it know, for example, when the officer is in pursuit.\n\n      The current radio environment in certain regions contributes to\n      officer safety challenges and threats to security around the\n      Nation\xe2\x80\x99s borders. Analog radio communication in some regions is\n      unencrypted, which may result in unsecure communications.\n      While the dispatch center aids in communication, it is not an ideal\n      environment for mission operations. For example, staff at one\n      Border Patrol sector described an environment in which dispatchers,\n      trained to operate multiple phones simultaneously and to cover the\n      entire State and partners such as the U.S. Coast Guard, may \xe2\x80\x9cburn\n      out.\xe2\x80\x9d Border Patrol staff then must train additional staff to work in\n      the dispatch center. In addition, staff with whom we met agreed\n      that scrambling to find a radio to contact the office might distract\n      an agent from enforcement and surveillance activities. Further, if\n      the dispatch connection were to go down, the agent might be\n      disconnected from sufficient outside support.\n\n      Office of Air and Marine staff with whom we met reported\n      challenges in accessing the government and military-issued web\n      sites they need to accomplish their missions. For example, they\n      reported being unable to access critical government web sites\n      necessary for mission activities such as setting up a flight plan.\n      Such web sites include the National Geospatial Intelligence\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 23\n\x0c      Agency web site, Army Knowledge Online, the Joint Technical\n      Data Integration web site, and aviation weather web sites. In\n      addition, Air and Marine staff reported being unable to use key\n      software necessary for planning routes, charts, and flights, as well\n      as aircraft maintenance for select aircraft, because the software was\n      not on the approved technology list.\n\n      As a result, the Office of Air and Marine staff set up stand-alone\n      computers to view the inaccessible web sites and to install the\n      military software to meet their needs. Stand-alone computers may\n      create security, integration, and maintenance challenges. OIT\n      Field Technology Officers cannot maintain IT that is not on the\n      approved list. Therefore, if a non-approved IT product breaks,\n      OIT staff are not authorized to fix it. Non-approved technology\n      creates security challenges. In addition to operating stand-alone\n      computers, staff may place non-approved IT on the network\n      without realizing that the information could be compromised.\n      Since non-approved technology has not been approved or tracked\n      by OIT, Information Systems Security Officers throughout CBP\n      may not be aware it exists, and it could compromise network\n      security.\n\n      Internal Functionality\n\n      CBP staff face challenges in transferring and sharing data locally\n      or internally as well. For example, Office of Air and Marine staff\n      said that they needed to transfer unencrypted data from the aircraft\n      digital video recorders onto computers, where it can be shared on\n      the network for evidence and intelligence purposes. Because DHS\n      policy prevents the use of portable media devices, staff obtained a\n      waiver to transfer unencrypted data from the aircraft to network\n      computers. In addition, the agency bought approximately 20 scope\n      trucks at an estimated $450,000 each for Border Patrol offices.\n      Border Patrol agents in one region reported that an agent using a\n      scope truck in the field can view live video from the truck\xe2\x80\x99s mobile\n      video surveillance system, which includes two cameras. However,\n      the video feed cannot be recorded or sent over the network.\n      Therefore, agents cannot view the feed from the command center\n      or use it as evidence.\n\n      In addition, some enterprise systems and applications do not\n      include the reporting functionality that users need at the field\n      component or program level. For example, E3, an enterprise-wide\n      system, does not capture the information that field personnel need\n      on the form generated for each illegal alien transported through the\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 24\n\x0c      Alien Transfer Exit Program. Approximately seven Border Patrol\n      sectors in the Southwest are involved with this program. To\n      overcome this system limitation, since December 2010, agents in\n      one sector have entered identical information each day pertaining\n      to hundreds of individuals into both E3 and Excel in order to\n      produce the required reports that E3 alone cannot produce. The\n      reports include lists of transferred illegal aliens and other\n      information that helps CBP determine the most effective\n      operations. According to a site supervisor, multiple entry may\n      increase the possibility of data integrity issues. Furthermore, when\n      agents spend time reentering data, they are not spending that time\n      on other duties, such as enforcement activities in the field.\n\n      The Border Patrol Enforcement Tracking System (BPETS), an\n      enterprise-wide system, also does not sufficiently meet the local\n      reporting needs of field components. Specifically, staff in one\n      sector have implemented duplicate and even triplicate reporting at\n      the local level for some functions, including checkpoint activity\n      reports, scheduling reports, zone activity reports, and intelligence\n      reports. OIT staff reported that the input fields within BPETS\n      were too restrictive to provide the level of reporting that local\n      managers needed for planning and oversight, and that the system\n      did not generate useful, consolidated reports. As a result, agents at\n      these stations spent time duplicating or augmenting the required\n      information for locally generated reports, using time that could be\n      spent in direct support of enforcement duties or personnel\n      management.\n\n      Requirements and Technology Insertion\n\n      OIT has established a requirements gathering process, but it does\n      not fully support mission needs and is unclear to some staff with\n      whom we met in the field. Each program office within OIT, such\n      as the Border Enforcement and Management Systems Program\n      Office, the Wireless Systems Program Office, and the Passenger\n      Systems Program Office, has its own processes for meeting its\n      customers\xe2\x80\x99 needs and prioritizing requirements. CBP IT\n      leadership noted challenges with the requirements process,\n      including the length of time it takes to compile and implement\n      requirements. Field staff with whom we met were sometimes\n      unclear on how to share requirements or were not sure that their\n      voices were being heard. For example, field staff might send a\n      request, including what they need and why they need it, \xe2\x80\x9cup the\n      chain\xe2\x80\x9d or through OIT. But staff with whom we met, including\n      OIT staff, were not uniformly convinced that the process moved\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 25\n\x0c      forward.\n\n      OIT has also established a process for customers to request\n      approval for new technology if a gap between a business need and\n      the existing list of approved IT is identified. CBP\xe2\x80\x99s Technical\n      Reference Model contains the status of IT products and the degree\n      to which CBP customers can use them. Customers may initiate\n      requests for new technology through the Intranet. Upon reviewing\n      and researching a customer\xe2\x80\x99s request, OIT staff may approve the\n      request and add the IT product to the Technical Reference Model.\n      OIT staff in the field, however, reported that the technology\n      insertion process was not an easy or quick process. One\n      representative from OIT leadership said that it took 4 months to\n      add new products to the Technical Reference Model. In addition, a\n      customer may request that specific software be installed, but when\n      field support staff search the Technical Reference Model, the\n      version that is listed is one to two versions old. Staff said that the\n      list was not consistently current and kept up to date, and that newly\n      approved software might not be on the list.\n\n      CBP is taking steps to improve the requirements process.\n      Specifically, OIT has created governance boards to address and\n      streamline requirements, which is critical to resolve emergencies,\n      reduce redundant efforts, and identify priorities. For example,\n      matters deemed to be emergencies, such as issues affecting officer\n      safety, are resolved through processes established by the OIT\n      Change Control Board. OIT has established the Customer Entry\n      Point Governance Board, composed of senior executives from each\n      OIT division, to review major OIT efforts and reduce duplication\n      of efforts. Further, OIT has created the Requirements Management\n      User Group in an effort to standardize the process for the\n      management of requirements throughout OIT.\n\n      In addition, OIT has initiated outreach activities to operational\n      components. In October 2011, OIT leadership briefed key CBP\n      offices on the status of OIT, during which staff learned about\n      transformation efforts and the need for operational components to\n      prioritize needs before providing them to OIT. In addition, OIT\n      held monthly outreach meetings with the Office of Border Patrol,\n      the Office of Air and Marine, the Office of Human Resources\n      Management, the Office of Field Operations, and the Office of\n      International Affairs. During these meetings, staff from these\n      operational components brought forward IT issues and concerns,\n      which were then tracked as they were resolved.\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 26\n\x0c       As a result of IT not completely meeting user needs, CBP\n       employees have created workarounds or employed alternative\n       solutions that may have an impact on the agency\xe2\x80\x99s ability to\n       protect its frontline officers, secure the Nation\xe2\x80\x99s borders, and\n       ensure lawful trade and travel. Unsecured and insufficient\n       communication can create safety risks for agents, officers, and\n       other frontline staff. In addition, integration and interoperability\n       gaps, such as the use of stand-alone computers or systems that do\n       not communicate with each other, can lead to missed links and\n       opportunities to gather the critical intelligence necessary to prevent\n       illegal entry into the United States; stop terrorists and drug\n       smugglers; and foster safe, legitimate trade and travel.\n\nRecommendations\n       We recommend that the Assistant Commissioner, Office of\n       Information and Technology:\n\n       Recommendation #3: Develop a funding strategy to ensure\n       replacement of outdated infrastructure in order to address\n       availability challenges and outages.\n\n       Recommendation #4: Implement a plan to address gaps in the\n       existing requirements and reassess the technology insertion process\n       to address functionality and interoperability challenges in the field.\n\nManagement Comments and OIG Analysis\n       We obtained written comments on a draft of this report from the\n       Assistant Commissioner, Office of Internal Affairs. We have\n       included a copy of the comments in their entirety in appendix B.\n\n       In response to recommendation three, the Assistant Commissioner\n       concurred and said that CBP has been working on an initiative to\n       respond to the infrastructure needs of the Office of Field\n       Operations, the Office of Border Patrol, and the Office of Air and\n       Marine. He also said that CBP has been reporting on this initiative\n       in response to a prior recommendation from our February 2011\n       report, Planning and Funding Issues Hindered CBP\xe2\x80\x99s\n       Implementation of the System Availability Project. Our current\n       report\xe2\x80\x99s finding and recommendation, however, go beyond the\n       scope of the 2011 report, which focused on CBP\xe2\x80\x99s planning to\n       reduce the risk of outages at border stations and ports of entry in\n       the field. This report addresses availability challenges with\n       network infrastructure in the field, as well as at headquarters.\n\n CBP Information Technology Management: Strengths and Challenges\n\n                             Page 27\n\x0c      Therefore, we do not agree that the June 2011 strategy for\n      replacing outdated infrastructure is sufficient to address this\n      recommendation. Before closing this recommendation, we require\n      additional evidence of a funding strategy to address CBP\xe2\x80\x99s\n      challenges with outdated infrastructure in the field as well as at\n      headquarters.\n\n      In response to recommendation four, the Assistant Commissioner\n      concurred with the recommendation and stated that CBP has\n      already taken action to increase automation of the technology\n      insertion process. Further, the Assistant Commissioner said that\n      the OIT Chief Technology Officer agreed to reassess the\n      automated implementation as part of an annual process review.\n      We recognize this action as a positive step toward addressing this\n      recommendation. This recommendation will remain open pending\n      evidence of further progress in this regard.\n\n\n\n\nCBP Information Technology Management: Strengths and Challenges\n\n                            Page 28\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n                    As part of our ongoing responsibilities to assess the\n                    efficiency, effectiveness, and economy of departmental programs\n                    and operations, we conducted an audit to evaluate the CBP CIO\xe2\x80\x99s\n                    overall IT management approach, including the extent to which IT\n                    management practices have been put in place and the current IT\n                    environment supports mission needs.\n\n                    We researched and reviewed Federal laws, management directives,\n                    and agency plans and strategies related to IT systems, management,\n                    and governance. We obtained published reports, documents, and\n                    news articles regarding CBP\xe2\x80\x99s management and use of IT.\n                    Additionally, we reviewed recent Government Accountability\n                    Office and DHS OIG reports to identify prior findings and\n                    recommendations. We used this information to establish a data\n                    collection approach that consisted of focused interviews,\n                    documentation analysis, site visits, and system demonstrations to\n                    accomplish our audit objectives.\n\n                    We held interviews and teleconferences with CBP staff at\n                    headquarters and field offices. Collectively, we held more than 60\n                    meetings with headquarters officials, field office officials, and\n                    system users to learn about CBP\xe2\x80\x99s IT functions, processes, and\n                    capabilities. At headquarters, we met with CBP OIT officials\n                    including the Deputy Assistant Commissioner, Chief Technology\n                    Officer, branch chiefs, and program managers to discuss their roles\n                    and responsibilities related to CBP IT management. We also met\n                    with staff from OIT program offices, including the Passenger\n                    Systems Program Office, Cargo Systems Program Office, Wireless\n                    Systems Program Office, Border Enforcement and Management\n                    Systems Program Office, and Targeting and Analysis Systems\n                    Program Office.\n\n                    At CBP field locations, we met with senior managers, area service\n                    managers, field technology supervisors, field technology officers,\n                    import specialists, agents, pilots, port directors, and other system\n                    users to understand IT development practices, user requirements,\n                    and system use in the field. We discussed the current IT\n                    environment and the extent to which it met mission needs, local IT\n                    development practices, and user involvement and communication\n                    with headquarters. We collected supporting documents about\n                    CBP\xe2\x80\x99s IT environment, IT management functions, current\n                    initiatives, and improvement initiatives.\n\n\n\n\n              CBP Information Technology Management: Strengths and Challenges\n\n                                          Page 29\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n                    We conducted audit fieldwork from October 2011 to January 2012\n                    at CBP headquarters offices in Washington, DC. We conducted\n                    additional audit fieldwork at CBP field offices and operational sites.\n\n                    We conducted this performance audit between October 2011 and\n                    April 2012 pursuant to the Inspector General Act of 1978, as\n                    amended, and according to generally accepted government\n                    auditing standards. Those standards require that we plan and\n                    perform the audit to obtain sufficient, appropriate evidence to\n                    provide a reasonable basis for our findings and conclusions based\n                    upon our audit objectives. We believe that the evidence obtained\n                    provides a reasonable basis for our findings and conclusions based\n                    upon our audit objectives.\n\n                    The principal OIG points of contact for this audit are Frank Deffer,\n                    Assistant Inspector General for Information Technology Audits,\n                    and Richard Harsche, Director of Information Management. Major\n                    OIG contributors to the audit are identified in appendix C.\n\n\n\n\n              CBP Information Technology Management: Strengths and Challenges\n\n                                          Page 30\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n             CBP Information Technology Management: Strengths and Challenges\n\n                                         Page 31\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n             CBP Information Technology Management: Strengths and Challenges\n\n                                         Page 32\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n             CBP Information Technology Management: Strengths and Challenges\n\n                                         Page 33\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n             CBP Information Technology Management: Strengths and Challenges\n\n                                         Page 34\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n             CBP Information Technology Management: Strengths and Challenges\n\n                                         Page 35\n\x0cAppendix C\nMajor Contributors to This Report\n\n                    Richard Harsche, Division Director\n                    Steven Staats, Audit Manager\n                    Elizabeth Argeris, Auditor-In-Charge\n                    Swati Nijhawan, Auditor-In-Charge\n                    Erin Dunham, Auditor\n                    Sheila Cuevas, Auditor\n                    Anthony Nicholson, Referencer\n\n\n\n\n              CBP Information Technology Management: Strengths and Challenges\n\n                                          Page 36\n\x0cAppendix D\nReport Distribution\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Deputy Secretary\n                      Chief of Staff\n                      Deputy Chief of Staff\n                      General Counsel\n                      Executive Secretariat\n                      Director, GAO/OIG Liaison Office\n                      Assistant Secretary for Office of Policy\n                      Assistant Secretary for Office of Public Affairs\n                      Assistant Secretary for Office of Legislative Affairs\n                      CBP, Commissioner\n                      CBP, Deputy Commissioner\n                      CBP, Assistant Commissioner, Office of Information and\n                           Technology\n                      CBP Liaison\n\n                      Office of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Congressional Oversight and Appropriations Committees, as\n                      appropriate\n\n\n\n\n               CBP Information Technology Management: Strengths and Challenges\n\n                                           Page 37\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'